You're using Dropbox API v1, a.k.a. the Core API. API v1 supports both OAuth 1 and OAuth 2. You seem to be mixing OAuth 1 and OAuth 2, but you're only supposed to use one or the other for any particular API call.

I.e., the "access_token" parameter and the "Authorization" header are ways to supply an OAuth 2 access token. The other "oauth_*" parameters are used for OAuth 1.

You should only use one of these methods at a time. We recommend using the Authorization header to pass an OAuth 2 access token. If you use that, you can get rid of the URL parameters.

I see my mistake. I tested it with a REST firefox plugin and both worked very well. The mistake is on my end.

In fact, if I give both the Authorization header and parameters, but with more than the needed parameters (my gem keeps inserting a "oauth_token" on top of the "access_token" for v1) then the error is

{"error": "Access token not found."

But if I include just what's necessary, but both of them still, I get this

{"error": "Cannot specify both an \"Authorization\" header and the URL/POST parameter \"access_token\"."}

So the errors are very helpful. I was just stuck on the first, never seeing the second. Hope this helps someone else too. Thanks Gregory!